Decouple NodePort Creation from Target Group Updates in NLB #4410
Description
Describe the feature you are requesting
Motivation
Describe the proposed solution you'd like
Describe alternatives you've considered
Contribution Intention (Optional)
-[x] Yes, I am willing to contribute a PR to implement this feature
-[ ] No, I cannot work on a PR at this time
Description
When using Network Load Balancers with the AWS Load Balancer Controller, the creation of NodePort objects is currently coupled with target group updates. This coupling can lead to service disruptions when target group limits are reached (e.g., 1000 target limit).
Current Behavior
Controller attempts to create/update target group
If target group update fails (e.g., hitting target limit)
NodePort object is not created
Health checks fail due to missing NodePort rules
Results in service disruption
Desired Behavior
Create NodePort object first
Update security group rules for new NodePort
Then attempt target group creation/update
If target group update fails, existing traffic can still flow through established NodePorts
Benefits
Reduced service disruptions during target limit situations
Maintain health checks even when target group updates fail
More graceful degradation when hitting service limits
Use Case Example
Running large-scale workloads with:
Multiple NodePorts per service
High number of targets
Need for continuous health check passing
Zero-downtime requirements during scaling events
Technical Considerations
NodePort creation independent of target group status
Security group rule updates before target group modifications
Proper cleanup of orphaned NodePorts
Backward compatibility with existing implementations
Additional Context
This issue was identified when a service with multiple NodePorts hit the 1000 target limit, causing all health checks to fail simultaneously due to missing NodePort objects.
/kind feature-request
/area load-balancing
/priority important-longterm